4.8 List of Proxy Realms — ‘raddb/realms’

The ‘raddb/realms’ file lists remote Radius servers that are allowed to
communicate with the local Radius server (see section Proxying).

Each record consists of up to three fields, separated by whitespace.
Two of them are mandatory. The fields are:

Realm name

Specifies the name of the realm being defined, i.e. part of the login
name after the ‘@’ symbol. There are three special forms of this
field.

The name ‘NOREALM’ defines the empty realm, i.e. lines
marked with this name will match user names without any realm suffix.

The name ‘DEFAULT’ defines the default realm
(see section Realms). The lines with this realm name will match any user
name not matched by any other line in ‘raddb/realms’.

Remote server list

A comma-separated list of remote servers to which the requests for this realm
should be forwarded. Each item in the list is:

servername[:auth-port[:acct-port]]

Optional auth-port and acct-port are the authentication and
accounting port numbers. If acct-port is omitted, it is computed
as auth-port + 1. If auth-port is omitted, the default
authentication port number is used.

The servers from this list are tried in turn until one of them replies
or the list is exhausted, whichever occurs first. The timeout value and
number of retries for each server are set via the timeout and
retries flags (see below).

There may be cases where you would wish a particular realm to be
served by the server itself. It is tempting to write

# Wrong!
realm.name localhost

however, this will not work. A special form of the server list is
provided for this case: the word ‘LOCAL’. The correct
configuration line for the above case will thus be:

# Use this to declare a locally handled realm
realm.name LOCAL

Flags (optional)

The flags meaningful in ‘raddb/realms’ are

ignorecase

Boolean value. When set, enables case-insensitive comparison of
realm names. For example, if a realm were defined as

myrealm.net remote.server.net:1812 ignorecase

then user name ‘user@MyREAlm.NeT’ will match this definition.

strip

Boolean value. Controls whether the realm name should be stripped off
the username before forwarding the request to the remote server. Setting
strip enables stripping, setting nostrip disables
it. Default is to always strip user names.

quota=num

Set maximum number of concurrent logins allowed from this realm to
the given value (num).

timeout

Number of seconds to wait for reply from the remote server before
retransmitting the request.

retries

Number of attempts to contact a server. If the server does not
respond after the last attempt, the next server from the list
is tried.
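As an added example (not GNU Radius code), a small parser for the ‘raddb/realms’ format described above, plus a lookup that applies the NOREALM, DEFAULT and LOCAL rules and the ignorecase and strip flags. It assumes 1812 as the default authentication port and a flag=num form for timeout and retries, neither of which this section states; the sample file in the usage is constructed.

```python
from dataclasses import dataclass, field
DEFAULT_AUTH_PORT = 1812   # assumption: the page names no default port number

@dataclass
class Realm:
    name: str
    servers: list = field(default_factory=list)  # (host, auth, acct); [] = LOCAL
    ignorecase: bool = False
    strip: bool = True         # page: default is to strip user names
    limits: dict = field(default_factory=dict)   # quota, timeout, retries

def parse_server(item):
    # servername[:auth-port[:acct-port]]; acct-port defaults to auth-port + 1
    parts = item.split(":")
    auth = int(parts[1]) if len(parts) > 1 else DEFAULT_AUTH_PORT
    acct = int(parts[2]) if len(parts) > 2 else auth + 1
    return parts[0], auth, acct

def parse_realms(text):
    realms = []
    for fields in (ln.split("#", 1)[0].split() for ln in text.splitlines()):
        if not fields:                          # blank or comment-only line
            continue
        if len(fields) < 2:
            raise ValueError(f"realm name and server list required: {fields}")
        r = Realm(name=fields[0])
        if fields[1] != "LOCAL":                # LOCAL: handled by this server
            r.servers = [parse_server(s) for s in fields[1].split(",")]
        for flag in fields[2:]:
            key, _, val = flag.partition("=")
            if key == "ignorecase":
                r.ignorecase = True
            elif key in ("strip", "nostrip"):
                r.strip = key == "strip"
            elif key in ("quota", "timeout", "retries") and val.isdigit():
                r.limits[key] = int(val)        # assumes the flag=num form
            else:
                raise ValueError(f"bad flag {flag!r} in realm {r.name}")
        realms.append(r)
    return realms

def match_realm(realms, login):
    # Returns (matching line, name to forward); DEFAULT only if nothing else hit.
    user, at, suffix = login.partition("@")
    for r in (r for r in realms if r.name != "DEFAULT"):
        same = r.name.lower() == suffix.lower() if r.ignorecase else r.name == suffix
        if (not at) if r.name == "NOREALM" else (at and same):   # NOREALM: no '@'
            return r, (user if r.strip and at else login)
    d = next((r for r in realms if r.name == "DEFAULT"), None)
    return d, (user if d and d.strip and at else login)
```

Rejecting unknown flags is deliberate: a misspelled flag silently ignored would otherwise change which requests get forwarded, stripped or limited.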